
By Coby Royer, Technical Product Manager for Symplified

Oct 11 2009 - I'd like to applaud some of the points raised by Richard Stiennon in his recent post, "Identifying and Countering the Insider Threat", which resonated with me.

For a long time I have been repeating to enterprises my concerns about managing the internal threat.

And with the recent economic downturn, layoffs and other sources of employee dissatisfaction are increasing the risks from internal threats. The fact is, corporate management must pay attention to the insider threat and implement policies and controls to manage it.

What to Do?

The one message I'd like to leave our readers with is well stated in Stiennon's article: "Identity and Access Management tools are the single most valuable defense you have against the insider threat."

Authentication

Employ authentication strength that is commensurate with risk and which complies with applicable rules and regulations.

Whether this means passwords or multi-factor authentication (MFA) such as biometrics or smartcards, be sure to invest in appropriate technologies and train your user base on the tools and the policy.

Provisioning

Be sure your processes and tools for the creation, removal, and management of accounts do not leave you exposed.

Entitlements and accounts for former employees must be revoked as quickly as possible. Use approval and/or attestation workflows and role based access control (RBAC) wherever possible.
And do not forget about privileged account management: "You cannot begin to get control over privileged accounts, IT administrators, or even software licensing costs until you enable an effective Identity and Access Management solution."

RBAC

Defining and enforcing roles is a huge topic. Although simple in theory, assigning roles to people and then setting access control according to role is non-trivial.

Bruce Schneier has some great info in his latest newsletter "Real World Access Control".

What may seem easy at first is complicated by poorly defined roles, constant role churn, multiple roles, and the pragmatic fact that under-entitling employees incurs productivity costs.

I like Stiennon's suggestions to keep it simple, start by defining groups for each function in the organization, and include tools for review of exceptions; as he puts it, "granular control over what people do on your networks and a means to enforce the policies that regulation and security best practices require."

Compliance and Reporting

Regularly reviewing audit logs to see who has accessed what is important. Monitoring and logging are essential to understanding risk and detecting malicious activity.
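To make the provisioning, RBAC and audit-review points above concrete, here is a small worked example. It is my own added illustration, not code from Stiennon's post or from any product mentioned here. It defines one role per business function, checks access against the union of a user's roles, denies terminated users outright, reconciles accounts against an HR termination date to find accounts that were never deprovisioned, and reviews a few constructed audit-log lines to flag the exceptions a reviewer would want to see: access after termination, access not explained by any role, privileged actions for attestation, and unknown accounts. The role names, permission strings, usernames and the log-line format are all constructed for the example.

```python
"""Added example (not from the original article): minimal RBAC enforcement,
HR-driven deprovisioning reconciliation, and audit-log exception review.
All roles, permissions, users and log lines are constructed for illustration."""

from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Set, Tuple

# One group per business function, as the article recommends. Constructed data.
ROLE_PERMISSIONS = {
    "finance": {"ledger:read", "ledger:write", "payroll:read"},
    "hr": {"payroll:read", "payroll:write", "employee:read"},
    "engineer": {"repo:read", "repo:write", "ci:run"},
    "sysadmin": {"server:admin", "repo:read"},
}
# Privileged actions that should always be surfaced for attestation review.
PRIVILEGED = {"server:admin", "payroll:write"}


@dataclass
class User:
    username: str
    roles: Set[str]
    terminated_on: Optional[date] = None  # filled from the HR feed on departure

    def permissions(self) -> Set[str]:
        """Effective permissions: union of every assigned role's permissions."""
        return set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in self.roles))


def is_allowed(user: User, permission: str, today: date) -> bool:
    """Deny anyone whose termination date has passed, regardless of roles."""
    if user.terminated_on is not None and user.terminated_on <= today:
        return False
    return permission in user.permissions()


def stale_accounts(users: List[User], today: date) -> List[str]:
    """Provisioning check: accounts still holding roles after the owner left."""
    return sorted(u.username for u in users
                  if u.terminated_on is not None and u.terminated_on <= today and u.roles)


def deprovision(user: User) -> None:
    """Remediation: strip all entitlements from a departed user's account."""
    user.roles.clear()


def review_audit_log(users: List[User], log_lines: List[str]) -> List[Tuple[str, str, str]]:
    """Each line is 'YYYY-MM-DD username permission ALLOW|DENY' (constructed format).
    Returns (username, permission, reason) exceptions for a human reviewer."""
    by_name = {u.username: u for u in users}
    findings = []
    for line in log_lines:
        parts = line.split()
        if len(parts) != 4:
            findings.append(("?", "?", f"unparseable line: {line!r}"))
            continue
        day_s, name, perm, result = parts
        day = date.fromisoformat(day_s)
        user = by_name.get(name)
        if user is None:
            findings.append((name, perm, "access by unknown account"))
            continue
        if result != "ALLOW":
            continue  # denials enforce policy; only successful access needs review
        if user.terminated_on is not None and user.terminated_on <= day:
            findings.append((name, perm, "access after termination date"))
        elif perm not in user.permissions():
            findings.append((name, perm, "allowed access not granted by any role"))
        elif perm in PRIVILEGED:
            findings.append((name, perm, "privileged action: include in attestation review"))
    return findings


# Constructed sample directory and audit log.
USERS = [
    User("alice", {"finance"}),
    User("bob", {"engineer", "sysadmin"}),
    User("carol", {"hr"}, terminated_on=date(2009, 10, 1)),  # left, never deprovisioned
]
AUDIT_LOG = [
    "2009-10-05 alice ledger:write ALLOW",
    "2009-10-06 alice payroll:write DENY",
    "2009-10-07 bob server:admin ALLOW",
    "2009-10-08 carol payroll:read ALLOW",
    "2009-10-09 alice repo:write ALLOW",
    "2009-10-10 mallory ledger:read ALLOW",
]
TODAY = date(2009, 10, 11)

if __name__ == "__main__":
    print("stale accounts:", stale_accounts(USERS, TODAY))
    for who, perm, why in review_audit_log(USERS, AUDIT_LOG):
        print(f"{who:8} {perm:14} {why}")
```

The review deliberately ignores denied requests and only examines successful access, since that is where a provisioning gap or an out-of-role grant actually does damage; the "allowed access not granted by any role" finding is exactly the kind of exception Stiennon suggests reviewing rather than trying to model every edge case in the role definitions.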

Enter the Cloud

Of course, all of the above take on new challenges once we leave the corporate four walls.

Technologies that extend the reach of authentication and access control to SaaS apps are indispensable. The fact that an app is SaaS does not exempt it from regulatory requirements.

What Now?

Listen to the experts! Employ processes and tools that manage the insider threat. Look at the facts: this threat is real, and all organizations have these risks. And of course, build your single most valuable defense: IAM.
